本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。 # 檢視器和 CloudFront 之間支援的通訊協定和密碼當您[在檢視器和 CloudFront 分佈之間請求 HTTPS 時](DownloadDistValuesCacheBehavior.md#DownloadDistValuesViewerProtocolPolicy)，您必須選擇[安全性政策](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy)，以決定下列設定。 + CloudFront 用來與檢視者通訊的最低 SSL/TLS 通訊協定。 + CloudFront 可用來加密與檢視器通訊的密碼。若要選擇安全政策，請指定適用於 [安全政策 (最低 SSL/TLS 版本)](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy) 的適用值。下表列出 CloudFront 可以用於每個安全原則的協定與密碼。檢視器必須支援至少一個受支援的密碼，建立與 CloudFront 的 HTTPS 連線。CloudFront 從檢視器支援的密碼中依列出的順序選擇密碼。另請參閱[OpenSSL、S2n 和 RFC 密碼名稱](#secure-connections-openssl-rfc-cipher-names)。

	安全政策
	SSLv3	TLSv1	TLSv1\_2016	TLSv1.1\_2016	TLSv1.2\_2018	TLSv1.2\_2019	TLSv1.2\_2021	TLSv1.2\_2025	TLSv1.3\_2025
支援的 SSL/TLS 通訊協定
TLSv1.3	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLSv1.2	♦	♦	♦	♦	♦	♦	♦	♦
TLSv1.1	♦	♦	♦	♦
TLSv1	♦	♦	♦
SSLv3	♦
支援的 TLSv1.3 密碼
TLS\_AES\_128\_GCM\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_AES\_256\_GCM\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_CHACHA20\_POLY1305\_SHA256	♦	♦	♦	♦	♦	♦	♦		♦
支援的 ECDSA 密碼
ECDHE-ECDSA-AES128-GCM-SHA256	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA	♦	♦	♦	♦
ECDHE-ECDSA-AES256-GCM-SHA384	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA	♦	♦	♦	♦
支援的 RSA 密碼
ECDHE-RSA-AES128-GCM-SHA256	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA	♦	♦	♦	♦
ECDHE-RSA-AES256-GCM-SHA384	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA	♦	♦	♦	♦
AES128-GCM-SHA256	♦	♦	♦	♦	♦
AES256-GCM-SHA384	♦	♦	♦	♦	♦
AES128-SHA256	♦	♦	♦	♦	♦
AES256-SHA	♦	♦	♦	♦
AES128-SHA	♦	♦	♦	♦
DES-CBC3-SHA	♦	♦
RC4-MD5	♦

## OpenSSL、S2n 和 RFC 密碼名稱 penSSL and [s2n](https://github.com/awslabs/s2n) 會使用與 TLS 標準不同的密碼名稱 ([RFC 2246](https://tools.ietf.org/html/rfc2246)、[RFC 4346](https://tools.ietf.org/html/rfc4346)、[RFC 5246](https://tools.ietf.org/html/rfc5246) 和 [RFC 8446](https://tools.ietf.org/html/rfc8446))。下表將 OpenSSL 和 s2n 名稱對應到每個密碼的 RFC 名稱。 CloudFront 支援傳統和量子安全金鑰交換。對於使用橢圓曲線的傳統金鑰交換，CloudFront 支援下列項目： + `prime256v1` + `X25519` + `secp384r1` 對於保護量子的金鑰交換，CloudFront 支援下列項目： + `X25519MLKEM768` + `SecP256r1MLKEM768` **注意** TLS 1.3 僅支援 Quantum 安全金鑰交換。TLS 1.2 和舊版不支援規定人數安全金鑰交換。如需詳細資訊，請參閱下列主題： + [後量子密碼學](https://aws.amazon.com/security/post-quantum-cryptography/) + [密碼編譯演算法和 AWS 服務](https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.html#algorithms) + [TLS 1.3 中的混合金鑰交換](https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/) 如需 CloudFront 憑證需求的詳細資訊，請參閱 [與 CloudFront 搭配使用 SSL/TLS 憑證的要求](cnames-and-https-requirements.md)。

OpenSSL 和 s2n 密碼名稱	RFC 密碼名稱
支援的 TLSv1.3 密碼
TLS\_AES\_128\_GCM\_SHA256	TLS\_AES\_128\_GCM\_SHA256
TLS\_AES\_256\_GCM\_SHA384	TLS\_AES\_256\_GCM\_SHA384
TLS\_CHACHA20\_POLY1305\_SHA256	TLS\_CHACHA20\_POLY1305\_SHA256
支援的 ECDSA 密碼
ECDHE-ECDSA-AES128-GCM-SHA256	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
ECDHE-ECDSA-AES128-SHA256	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256
ECDHE-ECDSA-AES128-SHA	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA
ECDHE-ECDSA-AES256-GCM-SHA384	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
ECDHE-ECDSA-CHACHA20-POLY1305	TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256
ECDHE-ECDSA-AES256-SHA384	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384
ECDHE-ECDSA-AES256-SHA	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA
支援的 RSA 密碼
ECDHE-RSA-AES128-GCM-SHA256	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
ECDHE-RSA-AES128-SHA256	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
ECDHE-RSA-AES128-SHA	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA
ECDHE-RSA-AES256-GCM-SHA384	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
ECDHE-RSA-CHACHA20-POLY1305	TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256
ECDHE-RSA-AES256-SHA384	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384
ECDHE-RSA-AES256-SHA	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA
AES128-GCM-SHA256	TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
AES256-GCM-SHA384	TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
AES128-SHA256	TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256
AES256-SHA	TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA
AES128-SHA	TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
DES-CBC3-SHA	TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
RC4-MD5	TLS\_RSA\_WITH\_RC4\_128\_MD5

## 檢視器和檢視器之間支援的簽名結構描述和 CloudFront CloudFront 支援下列簽名結構描述，用於與檢視器之間的連結和 CloudFront。

	安全政策
簽章結構描述	SSLv3	TLSv1	TLSv1\_2016	TLSv1.1\_2016	TLSv1.2\_2018	TLSv1.2\_2019	TLSv1.2\_2021	TLSv1.2\_2025	TLSv1.3\_2025
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA224	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA224	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP256R1\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP384R1\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA1	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA1	♦	♦	♦	♦